Am I a SPAM Zombie?

SamBones
Hi all. I started up Outlook to get my email last night and got a bunch of delivery failure notices for email I didn't send. The "from" address was from my website's domain, but they were sent from user accounts that don't exist. The emails that were kicked back as undeliverable were all typical SPAM for Viagra and other pharmacy drugs. I shut my machine down to keep it from sending any more until I could investigate more.

I have a website that is hosted by ICDSoft. I only have one valid email address there, and that's mine: sam@mydomain.com (not my actual domain name). The SPAM emails were from addresses like "Shirly.Harris@mydomain.com". The domain name was mine, but the usernames were all bogus. I have it set to route any incoming email for unknown users to my valid email, so that's why I got all the undeliverable notices.

My home PC is on 24x7 via cable modem, and has a Netgear Firewall/Router to allow a number of machines to connect to and use the Internet. I have Norton Internet Security installed and running. I regularly run both Adaware and spybot, neither of which found anything.

Is my PC a SPAM Zombie? Or could they be sending it directly to my mailserver? The hosting company puts my site on a Linux box that's shared with several other sites. Could they be sending it there as if it was me sending it? If so, would changing my email password block that?

I ran Hijack This, but don't really know what I'm looking at. I did delete a few things, but I figure I better seek some advice before going further. Can anyone look at the HijackThis log and tell me if I'm still a SPAM Zombie or if I killed the correct entries?

Code:
Logfile of HijackThis v1.97.7
Scan saved at 9:41:11 AM, on 9/19/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\CTsvcCDA.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\sistray.EXE
C:\WINNT\System32\khooker.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINNT\SYSTEM32\starter.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\WINNT\system32\CTHELPER.EXE
C:\sj655\hpupdate.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\SETI@home\SETI@home.exe
C:\Program Files\Creative\ShareDLL\MediaDet.exe
C:\Program Files\Creative\SBAudigy\TaskBar\CTLTray.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\WINNT\DvzCommon\DvzMsgr.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Sony Handheld\HOTSYNC.EXE
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\WINNT\system32\wuauclt.exe
C:\Documents and Settings\Samuel T. Pawley\Desktop\downloads\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\tahxt.dll/sp.html#11111
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://orangecounty.cox.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\tahxt.dll/sp.html#11111
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\tahxt.dll/sp.html#11111
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\tahxt.dll/sp.html#11111
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_1/home.html"); (C:\Documents and Settings\Samuel T. Pawley\Application Data\Mozilla\Profiles\default\1me0bsw5.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Samuel T. Pawley\Application Data\Mozilla\Profiles\default\1me0bsw5.slt\prefs.js)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {E283D982-2D72-B9EE-C897-9B499BF82FAA} - C:\WINNT\system32\iedr32.dll (file missing)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SiS Tray] C:\WINNT\System32\sistray.EXE
O4 - HKLM\..\Run: [SiS KHooker] C:\WINNT\System32\khooker.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [EnsoniqMixer] C:\WINNT\SYSTEM32\starter.exe
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [HP Update 4200C] C:\sj655\hpupdate.exe 4200C+
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [iphg.exe] C:\WINNT\system32\iphg.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ntfa.exe] C:\WINNT\system32\ntfa.exe
O4 - HKLM\..\Run: [ieur32.exe] C:\WINNT\system32\ieur32.exe
O4 - HKLM\..\Run: [iehb32.exe] C:\WINNT\system32\iehb32.exe
O4 - HKLM\..\Run: [netrb32.exe] C:\WINNT\netrb32.exe
O4 - HKCU\..\Run: [seticlient] C:\Program Files\SETI@home\SETI@home.exe -min
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [TaskTray] "C:\Program Files\Creative\SBAudigy\TaskBar\CTLTray.exe"
O4 - HKCU\..\Run: [Oaac] C:\Documents and Settings\Samuel T. Pawley\Application Data\tirs.exe
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
O4 - HKCU\..\Run: [Stoe] C:\Documents and Settings\Samuel T. Pawley\Application Data\creh.exe
O4 - HKCU\..\Run: [Dtwkckwk] C:\WINNT\system32\??plorer.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O4 - Global Startup: DataViz Messenger.lnk = C:\WINNT\DvzCommon\DvzMsgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .rx: C:\Program Files\Internet Explorer\Plugins\npwrqxrx.dll
O12 - Plugin for .rxc: C:\Program Files\Internet Explorer\Plugins\npwrqxrx.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

Any help would be appreciated. Thanks in advance.
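A first pass over a HijackThis log can be automated with a few simple heuristics before handing it to an online analyzer. The script below is an added example, not part of the thread or of HijackThis itself; it applies rules of thumb that malware-removal volunteers used at the time (IE search pages redirected to a local `res://` DLL, unnamed BHOs whose file is missing, autostart executables living in a user's Application Data folder, executables with non-printable characters in their name, and Run keys simply named after their own file) to a handful of entries copied from the log above. The sample lines, the `<user>` placeholder and the rule set are constructed for the example; a hit means "look at this", not a confirmed infection.

```python
import re

# Constructed sample: entries copied from the HijackThis log posted above,
# with the user's profile path replaced by <user>.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\tahxt.dll/sp.html#11111
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://orangecounty.cox.net/
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {E283D982-2D72-B9EE-C897-9B499BF82FAA} - C:\WINNT\system32\iedr32.dll (file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [iphg.exe] C:\WINNT\system32\iphg.exe
O4 - HKCU\..\Run: [seticlient] C:\Program Files\SETI@home\SETI@home.exe -min
O4 - HKCU\..\Run: [Oaac] C:\Documents and Settings\<user>\Application Data\tirs.exe
O4 - HKCU\..\Run: [Dtwkckwk] C:\WINNT\system32\??plorer.exe
"""

# Every HijackThis line starts with a section tag (R0, R1, O2, O4, ...).
_ENTRY = re.compile(r"^(R[01]|O\d+) - (.*)$")
# O4 entries read "[key name] path-to-executable [arguments]"; the path may be quoted.
_O4_TARGET = re.compile(r'\[([^\]]+)\]\s+"?([^"]*?\.(?:exe|dll|ocx|scr|com))"?', re.IGNORECASE)
# Characters that do not belong in a legitimate Windows executable name.
_ODD_CHARS = re.compile(r"[^A-Za-z0-9_.\-~@ ]")


def _o4_reasons(body):
    """Heuristic checks for an autostart (O4) entry; returns a list of reasons."""
    m = _O4_TARGET.search(body)
    if not m:
        return []
    key_name, path = m.group(1), m.group(2)
    base = path.replace("/", "\\").rsplit("\\", 1)[-1]
    reasons = []
    if "\\application data\\" in path.lower():
        reasons.append("autostart executable stored in a user profile data folder")
    if _ODD_CHARS.search(base):
        reasons.append("non-portable characters in executable name")
    if key_name.lower() == base.lower():
        reasons.append("autostart key named after its own file (no vendor/product name)")
    return reasons


def triage(log_text):
    """Return [(log line, reason), ...] for entries worth a closer look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = _ENTRY.match(line)
        if not m:
            continue
        kind, body = m.groups()
        reasons = []
        if kind in ("R0", "R1") and "res://" in body.lower():
            reasons.append("IE search/start page points at a local DLL resource (browser hijack pattern)")
        elif kind == "O2" and "(no name)" in body and "(file missing)" in body:
            reasons.append("unnamed browser helper object whose file is missing")
        elif kind == "O4":
            reasons = _o4_reasons(body)
        findings.extend((line, reason) for reason in reasons)
    return findings


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"{reason}\n    {line}")
```

Run against the sample it flags five of the nine entries (the `tahxt.dll` search hijack, the missing `iedr32.dll` BHO, `iphg.exe`, `tirs.exe` and `??plorer.exe`) and leaves the Symantec, SETI@home and start-page entries alone. The rules are deliberately conservative; a clean run does not prove a clean machine, which is why the replies below still ask for an up-to-date log and a proper analyzer.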
 
one thing I can tell you....

You need to get the newest HiJackThis (V1.99.1)...

then redo the LOG...

There are some good Online LOG Analyzers, like h**p:// that will give you some insights into what Nasties you may be infected with...

on another note... they may be using a SpoofMailer, ergo just the name of your HomePage, and not directly your address... which I think is more than likely...



Ben

"If it works don't fix it! If it doesn't use a sledgehammer..."
 
Thanks Ben. I'll upgrade HiJackThis and try the online analysis.

From your comment, I Googled up some info on "Spoof mailer". There's nothing I can really do about that, is there?
 
Nope,
more than likely you've been spoofed and there's little you can do. It's just one of many tricks the money grabbing low life scumbags use.
You should find it'll die off eventually. However you may find you've been blocked by misinformed people who believe you are the spammer. ISPs and blacklisters are unlikely to blacklist you as they tend to run far more checks than the average Joe.

Stu..

Only the truly stupid believe they know everything.
Stu.. 2004
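Whether the bounces come from spoofing or from the home PC can be checked from the bounces themselves, because a standard DSN carries the original message with the `Received:` headers the relays stamped on it. The script below is an added example, not code from the thread: it pulls the attached original out of a bounce, walks its `Received:` chain from the earliest hop, and reports whether the originating IP is one of your own. The bounce text, host names and addresses are constructed (RFC 5737 documentation ranges); in the sample the spam entered the relay from 203.0.113.77 while the home connection is assumed to be 198.51.100.5, which is the spoofing case Stu describes. One caveat: only hops written by relays you trust are evidence, since a sender can prepend fake `Received:` lines of its own.

```python
import email
import ipaddress
import re
from email import policy

# Constructed sample bounce (multipart/report) with the original spam attached.
SAMPLE_BOUNCE = """\
From: MAILER-DAEMON@example.net
To: sam@mydomain.com
Subject: Undelivered Mail Returned to Sender
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="bounce-boundary"

--bounce-boundary
Content-Type: text/plain; charset=us-ascii

This is the mail system at host mx.example.net. Your message could not
be delivered to one or more recipients.

--bounce-boundary
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.example.net

Final-Recipient: rfc822; nobody@example.net
Action: failed
Status: 5.1.1

--bounce-boundary
Content-Type: message/rfc822

Received: from mx.example.net (mx.example.net [192.0.2.10])
    by inbound.example.net with ESMTP; Mon, 19 Sep 2005 08:59:31 -0700
Received: from mydomain.com (unknown [203.0.113.77])
    by mx.example.net with SMTP; Mon, 19 Sep 2005 08:59:30 -0700
From: Shirly.Harris@mydomain.com
To: nobody@example.net
Subject: cheap pharmacy

(spam body omitted)
--bounce-boundary--
"""

# Bracketed IPv4 literal as relays write it: "host (name [1.2.3.4])".
_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
# The relay that stamped the header: "by inbound.example.net".
_BY = re.compile(r"\bby\s+([A-Za-z0-9.-]+)", re.IGNORECASE)


def attached_original(bounce_text):
    """Return the original message embedded in a DSN bounce, or None."""
    bounce = email.message_from_string(bounce_text, policy=policy.default)
    for part in bounce.walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload(0)
    return None


def received_chain(bounce_text):
    """Return [(stamping relay, sending IP), ...] ordered from the first hop
    (where the message entered the mail system) to the last hop."""
    original = attached_original(bounce_text)
    if original is None:
        return []
    hops = []
    # Headers are prepended as the message travels, so the bottom one is the origin.
    for value in reversed(original.get_all("Received", [])):
        text = " ".join(str(value).split())  # unfold continuation lines
        ip_m, by_m = _IP.search(text), _BY.search(text)
        if ip_m:
            hops.append((by_m.group(1) if by_m else "?", ip_m.group(1)))
    return hops


def came_from_me(bounce_text, my_ips):
    """True if any hop in the chain was sent from one of my_ips."""
    mine = {ipaddress.ip_address(a) for a in my_ips}
    return any(ipaddress.ip_address(ip) in mine for _, ip in received_chain(bounce_text))


if __name__ == "__main__":
    HOME_IP = "198.51.100.5"  # assumed public address of the cable modem (constructed)
    for relay, ip in received_chain(SAMPLE_BOUNCE):
        print(f"{relay} received it from {ip}")
    print("sent from my connection:", came_from_me(SAMPLE_BOUNCE, [HOME_IP]))
```

If the earliest trusted hop shows your own public address, the machine behind it is the one to clean; if it shows someone else's, the domain is merely being forged in the envelope and header and no amount of local scanning will stop it.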
 
Post a new HijackThis log from version 1.99.1; you almost certainly have a CoolWebSearch infection which needs a lot of tools to delete it!
 